After installation the program runs with a 30-day time limit. Load it in OllyDbg, set a breakpoint with bpx GetSystemTime, and the program stops at:
004C4A72 /$ 55 push ebp
004C4A73 |. 8BEC mov ebp,esp
004C4A75 |. 81EC CC000000 sub esp,0CC
004C4A7B |. 8D45 F0 lea eax,dword ptr ss:[ebp-1>
004C4A7E |. 50 push eax ; /pLocaltime
004C4A7F |. FF15 F4125100 call dword ptr ds:[<&KERNEL>; \GetLocalTime
004C4A85 |. 8D45 E0 lea eax,dword ptr ss:[ebp-2>
004C4A88 |. 50 push eax ; /pSystemTime
004C4A89 |. FF15 F8125100 call dword ptr ds:[<&KERNEL>; \GetSystemTime
004C4A8F |. 66:8B45 EA mov ax,word ptr ss:[ebp-16]
004C4A93 |. 66:3B05 62605A00 cmp ax,word ptr ds:[5A6062]
004C4A9A |. 75 3B jnz short sview.004C4AD7
004C4A9C |. 66:8B45 E8 mov ax,word ptr ss:[ebp-18]
004C4AA0 |. 66:3B05 60605A00 cmp ax,word ptr ds:[5A6060]
004C4AA7 |. 75 2E jnz short sview.004C4AD7
004C4AA9 |. 66:8B45 E6 mov ax,word ptr ss:[ebp-1A]
004C4AAD |. 66:3B05 5E605A00 cmp ax,word ptr ds:[5A605E]
004C4AB4 |. 75 21 jnz short sview.004C4AD7
004C4AB6 |. 66:8B45 E2 mov ax,word ptr ss:[ebp-1E]
004C4ABA |. 66:3B05 5A605A00 cmp ax,word ptr ds:[5A605A]
004C4AC1 |. 75 14 jnz short sview.004C4AD7
Looking at the call chain, the calling addresses are:
Call stack
Address Stack Procedure / arguments Called from Frame
0012ECF8 0045D59D sview.004C4A72 sview.0045D598 0012ECF4
0012ED5C 0045DDAC sview.0045D580 sview.0045DDA7
0012ED68 00407D87 sview.0045DDA0 sview.00407D82
0012FF38 004C7495 sview.00407572 sview.<ModuleEntryPoint>+0DB
0012FF3C 00400000 Arg1 = 00400000
0012FF40 00000000 Arg2 = 00000000
0012FF44 00132BDE Arg3 = 00132BDE
0012FF48 0000000A Arg4 = 0000000A
Breakpoint at the topmost call: 004C748F |. 50 push eax
By the time this call returns the program has already run (the check has already happened), so set the breakpoint at the second-level function call and analyse there.
Breakpoint at
00407DCF |. 53 push ebx
Reload and run, stepping with F8 all the way; at 00407DD0 the "evaluation period expired" dialog pops up.
00407D7D |> \68 A89D5100 push sview.00519DA8 ; ASCII "***2***0***2****"
00407D82 |. E8 19600500 call sview.0045DDA0
00407D87 |. 83F8 FF cmp eax,-1
00407D8A |. 59 pop ecx
00407D8B |. 75 6A jnz short sview.00407DF7
00407D8D |. 391D 78D55700 cmp dword ptr ds:[57D578],ebx
00407D93 |. 74 45 je short sview.00407DDA
00407D95 |. 391D 74D55700 cmp dword ptr ds:[57D574],ebx
00407D9B |. BE F26C5600 mov esi,sview.00566CF2 ; ASCII "This is %s.
Its evaluation period expired on %s.
Please install a production copy from
www.swiftview.com/dlprod.htm now to continue operation."
00407DA0 |. 75 05 jnz short sview.00407DA7
00407DA2 |. BE 2B6E5600 mov esi,sview.00566E2B ; ASCII "This is %s.
Its evaluation period expired on %s.
License your entire LAN, WAN, or web site for one low price.
Visit us at www.swiftview.com/buy0.htm, email to
sales@swiftview.com, or phone 800-304-5941x2 or 971-223-2600x2 to find out ho"...
00407DA7 |> FF35 5CD35700 push dword ptr ds:[57D35C] ; sview.00519DA8
00407DAD |. E8 4E600500 call sview.0045DE00
00407DB2 |. 50 push eax
00407DB3 |. 68 C99D5100 push sview.00519DC9 ; ASCII "SwiftView(R) for Windows"
00407DB8 |. 56 push esi
00407DB9 |. BE 40415B00 mov esi,sview.005B4140 ; ASCII "This is SwiftView(R) for Windows.
Its evaluation period expired on 2005-08-21.
It was first installed on 2005-07-22.
License your entire LAN, WAN, or web site for one low price.
Visit us at www.swiftview.com/buy0.htm, email to
sales@swi"...
00407DBE |. 56 push esi
00407DBF |. E8 ACDA0B00 call sview.004C5870
00407DC4 |. 68 10100000 push 1010
00407DC9 |. 68 233C5400 push sview.00543C23 ; ASCII "Licensing Problem"
00407DCE |. 56 push esi
00407DCF |. 53 push ebx
00407DD0 |. E8 3B0D0500 call sview.00458B10 <-- this is the key call
Looking at the code above, only two conditional checks can skip this call:
00407D87 |. 83F8 FF cmp eax,-1
...
00407D8D |. 391D 78D55700 cmp dword ptr ds:[57D578],ebx
Debugging the flow of a non-expired copy shows that the jump at 00407D87 is taken, so that is the key check. Find the corresponding location in the file and change the following
00407D8B |. /75 6A jnz short sview.00407DF7
from jnz to jmp, save it as swiftviewnew.exe, change the system clock, and it runs normally.
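As an added example (not from the original post), the script below shows how an analyst verifying a distributed binary against a known-good copy would spot exactly this kind of single-opcode tampering: a short conditional jump (x86 opcodes 70..7F, rel8) replaced by jmp short (EB) with the displacement byte left intact, which is the 75 6A to EB 6A change the post describes. The two byte strings and the offset 0x44 are constructed stand-ins, not the real file contents or file offset of 00407D8B.

```python
"""Diff a clean and a modified binary and flag conditional-to-unconditional branch flips.

Added example, not code from the original post or from SwiftView. The CLEAN and
PATCHED buffers are CONSTRUCTED; only the 'jnz short' -> 'jmp short' byte flip
(75 6A -> EB 6A) is taken from the post. Offset 0x44 is an arbitrary constructed
value, not the real file offset of 00407D8B.
"""
from dataclasses import dataclass
from typing import List

SHORT_JCC = range(0x70, 0x80)  # x86 short conditional jumps: 70..7F followed by rel8
SHORT_JMP = 0xEB               # x86 short unconditional jump: EB followed by rel8
JCC_NAMES = {0x74: "je", 0x75: "jnz", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


@dataclass
class Finding:
    offset: int      # file offset of the first differing byte
    before: bytes    # bytes in the clean copy
    after: bytes     # bytes in the modified copy
    kind: str        # "branch_flip" or "byte_change"


def diff_bytes(original: bytes, modified: bytes) -> List[Finding]:
    """Return every differing region; same-size in-place patching is assumed."""
    if len(original) != len(modified):
        raise ValueError("sizes differ; this checker assumes an in-place patch")
    findings: List[Finding] = []
    i = 0
    while i < len(original):
        if original[i] == modified[i]:
            i += 1
            continue
        # A Jcc opcode turned into JMP with the rel8 displacement untouched:
        # the condition no longer matters and the branch is always taken.
        if (original[i] in SHORT_JCC and modified[i] == SHORT_JMP
                and i + 1 < len(original) and original[i + 1] == modified[i + 1]):
            findings.append(Finding(i, bytes(original[i:i + 2]), bytes(modified[i:i + 2]), "branch_flip"))
            i += 2
            continue
        # Otherwise group the whole run of differing bytes into one finding.
        j = i
        while j < len(original) and original[j] != modified[j]:
            j += 1
        findings.append(Finding(i, bytes(original[i:j]), bytes(modified[i:j]), "byte_change"))
        i = j
    return findings


def describe(f: Finding) -> str:
    """Human-readable one-liner for a finding."""
    if f.kind == "branch_flip":
        name = JCC_NAMES.get(f.before[0], "jcc")
        return (f"0x{f.offset:X}: {name} short (rel8=0x{f.before[1]:02X}) -> jmp short; "
                f"conditional check made unconditional")
    return f"0x{f.offset:X}: {f.before.hex()} -> {f.after.hex()} ({len(f.before)} byte(s) changed)"


# Constructed sample: a fragment shaped like the post's code, then a string table.
CLEAN = (b"\x00" * 0x40
         + b"\x83\xf8\xff"                    # cmp eax,-1
         + b"\x59"                            # pop ecx
         + b"\x75\x6a"                        # jnz short +0x6A (the post's 00407D8B bytes)
         + b"\x39\x1d\x78\xd5\x57\x00"        # cmp dword ptr [57D578],ebx
         + b"Licensing Problem\x00")

_patched = bytearray(CLEAN)
_patched[0x44] = 0xEB                         # the jnz -> jmp flip described in the post
_patched[0x4C:0x4E] = b"XX"                   # an unrelated string edit, for contrast
PATCHED = bytes(_patched)


def report(original: bytes = CLEAN, modified: bytes = PATCHED) -> List[str]:
    """Run the diff and return the findings as text lines."""
    return [describe(f) for f in diff_bytes(original, modified)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Running the module prints one line per tampered region; the branch flip is reported separately from ordinary byte changes so a reviewer can tell a logic-altering patch from, say, a string or resource edit.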